Experts disagree over the scope of the problem. Some say mainframes remain the most secure computing system around, while others say it's only a matter of time before something really bad happens to Web-connected Big Iron. In the meantime, there are steps customers can take to protect their corporate jewels as they go down this path.
By Johanna Ambrosio
Ask five experts about the security issues raised by connecting mainframes to the Web, and you're likely to get five different shades of gray. One thing they all agree on, however, is that there's been no big-ticket cracking incidents into Big Iron - at least not yet.
Some observers feel that the mainframe remains pretty secure, even after being connected to the Web, because most crackers just don't understand the environment well enough to get in. Mainframes have long been isolated from the outside world by dint of being on an internal SNA or other network that hackers generally can't penetrate. So there's been little opportunity for people to learn the machines well enough to get in. Windows and Unix remain crackers' tools of choice, experts say, because of the platforms' low cost. Also, the complexity of the mainframe keeps many would-be bad guys out.
Stu Henderson, an independent security consultant in Bethesda, Md., maintains that the mainframe's basic architecture makes it the most secure computing platform around, even when connected to the Web. "In every case that I'm aware of, hackers get into mainframes only when there's a back door open," he said, "either when it's been done on purpose or when systems software has been installed improperly." In addition, he maintains, the types of security holes that are open are "widely different" from company to company, so there's little if any possibility of creating a kit that "code kiddies" can use to break into mainframes around the world.
Then, too, Henderson says that Big Iron is inherently more secure against viruses because of its "trusted computing" architecture. "You won't find boot-sector viruses unless someone deliberately puts them there or lets them in," he said.
Not everyone shares his optimism. Most organizations "assume the mainframe is secure," said Patricia Fisher, president and CEO of security consultancy JANUS Associates Inc. in Stamford, Conn. "But we find we can quite easily circumvent those controls and get access to the data." And now organizations are connecting those "less than secure" machines to the Internet, she said. It's a critical area, especially given the times we're living in, Fisher added, because so much of the country's critical infrastructure - nuclear power plants, telephone-system switches and other things - are run by mainframe.
Jim Keohane, president of Multi-Platforms Inc., a Levittown, N.Y.-based consulting company, said that the mainframe is at higher risk than ever. As IBM and other Big Iron suppliers morph their proprietary operating systems into more "open systems" types of software - as has been the case with IBM's OS/390 taking on more Unix-like characteristics - the security risks increase.
"Also, the mainframe is still new to the Web," Keohane maintained, so crackers and other black-hats haven't yet figured out how to exploit the situation.
Still, most large enterprises are at least experimenting with ways of modernizing the life of their mainframe and all the information in it. By one reckoning, 70% of corporate data is still stored on host computers. Putting a Web interface on old applications is a way around having to completely architect legacy systems to get corporate information into new hands.
So, clearly, customers are looking to blend the best of the old with the new. So to make sure the corporate jewels remain safe, there are a few things customers can do. First, make sure to have a multi-disciplinary team select and implement any Web-to-host solutions. There are literally dozens of sub-disciplines involved in this endeavor, including different types of security concerns for mainframe systems software as well as all the sub-systems and applications involved.
Second, take some time to plan. Problems often occur when "someone in marketing says hey, let's do this, and the CIO says okay, and then it becomes a rush job," Henderson said. "No one has time to think about what they're connecting or how to secure it."
Gary Goldberg, general manager for applications at Information Builders Inc. in New York, said there are different security issues depending on what's being done. "With an intranet application, everything's inside the firewall, so there are no [security] issues there," he said. But if giving external customers or partners access to mainframe data, one has to be "extremely careful."
Goldberg talks about three levels of protection: at the internet networking level, via public-key infrastructure or encryption, for instance; at the systems software level, traditionally handled by TopSecret or ACF2 or RACF mainframe security packages; and at the data level, usually handled by the specific application associated with the data. Whatever you do must address all three levels to be really secure, he suggested.
Another thing to consider is the approach you use to open up the mainframe. One can provide direct links into the mainframe data, by hosting the Web application directly on the mainframe, or you can stage the application by moving the relevant information to another server that then communicates with the mainframe only to get the information each day, or for each request. Some observers maintain that the second approach - of staging - is more secure because then the application's entire user community isn't banging around inside the mainframe.
However Peter Goldis, an independent consultant in Cambridge, Mass. specializing in technical aspects of computer security and an "ethical hacker" into mainframes, disagrees. "Once you move user authentication off the mainframe, it can be a problem depending on how secure the other box is," he said. "The mainframe data is no longer protected by centralized access-control software."
To help alleviate some of these concerns, Multi-Platforms' Keohane suggests a centralized security product, one that allows customers to set different business rules for different applications or subsets of data. "You can say that certain subsets of users can have access to certain types of resources on Tuesday from 10 to 11 p.m.," he explained.
JANUS' Fisher recommends that companies treat a Web-connected mainframe just like they would any other distributed machine. Firewalls and intrusion-detection systems are a must, said Fisher. And by all means, do a penetration test, she added. "You need to find out if you have problems, and if you do then you can figure out how to close the gaps."
Just like any other area of security, it ultimately comes down to understanding your risk and making decisions about how to best protect that based on the resources you have to spend on it. "As a customer of a bank who can now write checks or get my balance from anywhere in the world on the Internet, I think it's a good thing" to Web-enable mainframe applications, Goldis said. "But as a security person, I have to say I think we're going backwards. Things aren't what they used to be."
MORE INFORMATION ON THIS TOPIC:
Visit search390 for additional resources on Web enabling the mainframe.
Check out searchSecurity for additional security information.__________________________________
SPONSORED BY: EMC
IS YOUR BUSINESS PROTECTED?
See Industry-Leading Business Continuity Software in Action
Make your business safer and more productive-every day of the year. Watch our online demos and learn how to protect your information through real-time, remote data mirroring. You'll also discover how to work more productively and lower IT costs with software solutions that enable you to:
- reduce backup time
- test applications and speed application development
- load data warehouses, and more.
>>View the EMC business continuity software demos.